CIA Caught Sneaking Cookies

CIA removes forbidden Web tracking software AP / CBS

The CIA removed software from one of its Web sites this week after a private group discovered that the agency was using banned Internet tracking technology called "cookies," said Mike Stepp, who manages the CIA's public Web site.

"It was a mistake on our part. It was not intentional," Stepp said Tuesday. "The public does not need to be concerned that the CIA is tracking them. We're a bit busy to be doing that."

"There is no evidence that the CIA was in fact using personal information against people or even collecting it," said CBS News Technology Consultant Larry Magid, "but the mere fact that they could collect it, that they had put these cookies on people's hard drives, is a violation of their stated privacy policy, and it's good that they're changing the practice."

Cookies are small software files often placed on computers without a person's knowledge. The files can make Internet browsing more convenient by letting sites distinguish user preferences, but they have been criticized for violating privacy because they can track Web surfing.

The government issued strict rules for how federal agencies may use cookies in 2000 after it was discovered that the White House drug policy office had used the technology to track computer users viewing its online anti-drug advertising. The rules ban the use of "persistent" cookies, which track Web habits over years.

Daniel Brandt discovered on Thursday that a CIA site had placed one of those long-lasting cookies on his computer. Brandt is president of Public Information Research, a private San Antonio-based group that preserves publications related to intelligence and business.

Brandt said he discovered the cookie, which keeps working until 2010, when he was looking at the Web site for the CIA's Electronic Reading Room, which provides access to previously released agency documents.

"They're not supposed to be doing this," Brandt said. He said he was particularly concerned because the reading room site allows users seeking documents to search for particular words.

"The keywords you put in reveal an incredible amount about what you're looking for and what your interests are," Brandt said. "It would be very, very tempting to track that kind of information."

A notice on the CIA Web site states, "The Central Intelligence Agency Web site does NOT use the 'cookies' that some Web sites use to gather and store information about your visits to their sites."

Brandt sent e-mail to the CIA with his concerns and the agency responded on Monday, removing the cookie software and some other temporary cookies that were discovered.

Stepp said an outside company had redesigned the reading room Web site, which was posted to the Internet on Jan. 29.

"Unbeknownst to us, it was loaded with some software, commercial off-the-shelf software used for Web analysis," Stepp said. The software included a cookie that tracked repeat visitors to the site.

To make sure no improper information about site visitors had been recorded, Stepp said two sets of log files would be destroyed.

Congress issued a study last summer that found 300 cookies still on the Web sites of 23 agencies despite the government ban.
  • Lloyd Vries

Comments